Hi,
I created an API gateway in AWS. Everything seems to work except when using the HTTPS listener.
When using the HTTP listener I am able to reach an echo-1 service that I deployed, but not when using HTTPS. When using HTTPS in the browser I get the following result: “ERR_CONNECTION_RESET”.
In the logs of the api-gateway pod I see this message. I don’t know if it’s related to the issue I am facing:
```
{"timestamp":"2023-04-20 15:34:02.274","thread":"24","level":"warning","name":"config","source":"./source/common/config/grpc_stream.h:163","message":"StreamSecrets gRPC config stream to sds-cluster closed: 2, failed to parse certificate PEM"}
```
And here are some more logs:
```
{"timestamp":"2023-04-20 16:02:59.275","thread":"15","level":"debug","name":"pool","source":"source/common/conn_pool/conn_pool_base.cc:214","message":"[C1] destroying stream: 0 remaining"}
{"timestamp":"2023-04-20 16:02:59.275","thread":"15","level":"debug","name":"http","source":"source/common/http/async_client_impl.cc:105","message":"async http request response headers (end_stream=true):
':status', '200'
'content-type', 'application/grpc'
'grpc-status', '2'
'grpc-message', 'failed to parse certificate PEM'
"}
{"timestamp":"2023-04-20 16:02:59.275","thread":"15","level":"warning","name":"config","source":"./source/common/config/grpc_stream.h:163","message":"StreamSecrets gRPC config stream to sds-cluster closed: 2, failed to parse certificate PEM"}
{"timestamp":"2023-04-20 16:02:59.275","thread":"15","level":"debug","name":"config","source":"source/common/config/grpc_subscription_impl.cc:115","message":"gRPC update for type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret failed"}
{"timestamp":"2023-04-20 16:02:59.275","thread":"15","level":"debug","name":"http2","source":"source/common/http/http2/codec_impl.cc:1481","message":"[C1] stream 203 closed: 0"}
{"timestamp":"2023-04-20 16:02:59.275","thread":"15","level":"debug","name":"http2","source":"source/common/http/http2/codec_impl.cc:1534","message":"[C1] Recouping 0 bytes of flow control window for stream 203."}
{"timestamp":"2023-04-20 16:02:59.275","thread":"15","level":"debug","name":"http2","source":"source/common/http/http2/codec_impl.cc:1364","message":"[C1] sent reset code=0"}
{"timestamp":"2023-04-20 16:02:59.282","thread":"22","level":"debug","name":"config","source":"source/extensions/transport_sockets/tls/ssl_socket.cc:447","message":"Create NotReadySslSocket"}
```
Here is the Gateway:

```yaml
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: Gateway
metadata:
  name: cumulus-api-gateway
  annotations:
    'service.beta.kubernetes.io/aws-load-balancer-scheme': 'internal'
    'service.beta.kubernetes.io/aws-load-balancer-type': 'nlb-ip'
spec:
  gatewayClassName: consul-c-gateway-class
  listeners:
  - protocol: HTTP
    port: 80
    name: http
    allowedRoutes:
      namespaces:
        from: All
  - protocol: HTTPS
    port: 443
    name: https
    allowedRoutes:
      namespaces:
        from: All
    tls:
      certificateRefs:
      - name: test-tls
      mode: Terminate
      options:
        api-gateway.consul.hashicorp.com/tls_min_version: "TLSv1_2"
```
Here is the GatewayClassConfig:
```yaml
---
apiVersion: api-gateway.consul.hashicorp.com/v1alpha1
kind: GatewayClassConfig
metadata:
  name: consul-c-gateway-class-config
spec:
  logLevel: debug
  copyAnnotations:
    service:
    - service.beta.kubernetes.io/aws-load-balancer-scheme
    - service.beta.kubernetes.io/aws-load-balancer-type
    - service.beta.kubernetes.io/aws-load-balancer-ssl-cert
    - service.beta.kubernetes.io/aws-load-balancer-backend-protocol
    - service.beta.kubernetes.io/aws-load-balancer-ssl-ports
  consul:
    scheme: http
    ports:
      http: 8500
      grpc: 8502
  serviceType: LoadBalancer
```
Here is the GatewayClass:
```yaml
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: GatewayClass
metadata:
  name: consul-c-gateway-class
spec:
  controllerName: hashicorp.com/consul-api-gateway-controller
  parametersRef:
    group: api-gateway.consul.hashicorp.com
    kind: GatewayClassConfig
    name: consul-c-gateway-class-config
```
Any help is greatly appreciated as I have been trying to solve this issue for a few days now.
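The warning in the post says the Secret that the proxy received over SDS could not be parsed as PEM, and the later `Create NotReadySslSocket` line is consistent with the HTTPS listener having no usable certificate, which closes TLS connections before a handshake completes (what a browser reports as a connection reset). Before digging into the gateway itself, the first thing a practitioner would verify is that the Secret named in `certificateRefs` (`test-tls` above) actually contains parseable PEM under the key names a `kubernetes.io/tls` Secret is expected to carry. The script below is an added example written for this thread; it is not part of the original post and not code from Consul or Envoy. It reads the JSON printed by `kubectl get secret test-tls -o json` and reports the defects that typically produce this kind of error (wrong Secret type, missing `tls.crt`/`tls.key`, values base64-encoded twice, a body that is not DER). Which of those, if any, applies to the poster's cluster is an assumption the script is meant to test, not a diagnosis. The sample Secrets embedded at the bottom are constructed and use a placeholder DER SEQUENCE instead of a real certificate, so the DER check is structural only; a real X.509 parse is left to openssl (see the note after the code).

```python
"""Sanity-check a Kubernetes TLS Secret before a proxy tries to load it over SDS.

Reads the JSON printed by `kubectl get secret <name> -o json` on stdin and reports
defects that make a proxy reject the PEM: wrong Secret type, missing tls.crt /
tls.key keys, values that are still base64 after the Secret's own base64 layer
(double encoding), and PEM bodies that do not decode to a DER SEQUENCE.
The DER check only inspects the outer SEQUENCE; it does not parse X.509.
"""
import base64
import binascii
import json
import re
import sys

# One PEM block: BEGIN line, base64 body, END line carrying the same label.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)
CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def der_sequence_length(der: bytes):
    """Total length of the outer DER SEQUENCE (tag + length + content), or None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem(raw: bytes, want: set) -> list:
    """Return the problems found in a decoded Secret value; [] means it parses."""
    problems = []
    blocks = PEM_BLOCK.findall(raw)
    if not blocks:
        # No '-----BEGIN' at all. A frequent cause is base64-encoding the file
        # before handing it to kubectl, which base64-encodes it again.
        try:
            if PEM_BLOCK.search(base64.b64decode(b"".join(raw.split()), validate=True)):
                return ["value is base64-encoded twice"]
        except binascii.Error:
            pass
        return ["no PEM block found"]
    for raw_label, body in blocks:
        label = raw_label.decode()
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except binascii.Error:
            problems.append(f"{label}: body is not valid base64")
            continue
        if der_sequence_length(der) != len(der):
            problems.append(f"{label}: body is not a single DER SEQUENCE")
    labels = {raw_label.decode() for raw_label, _ in blocks}
    if not labels & want:
        problems.append(f"expected one of {sorted(want)}, found {sorted(labels)}")
    return problems


def check_tls_secret(secret: dict) -> list:
    """Validate a Secret object as parsed from `kubectl get secret -o json`."""
    problems = []
    if secret.get("type") != "kubernetes.io/tls":
        problems.append(f"type is {secret.get('type')!r}, expected 'kubernetes.io/tls'")
    data = secret.get("data") or {}
    for key, want in (("tls.crt", CERT_LABELS), ("tls.key", KEY_LABELS)):
        if key not in data:
            problems.append(f"missing data key {key}")
            continue
        try:
            raw = base64.b64decode(data[key], validate=True)
        except binascii.Error:
            problems.append(f"{key}: Secret data is not valid base64")
            continue
        problems.extend(f"{key}: {p}" for p in check_pem(raw, want))
    return problems


# --- constructed sample Secrets for a dry run (not real certificates) ----------
# Placeholder DER: SEQUENCE { INTEGER 1 }. Well-formed DER, not an X.509 cert.
FAKE_DER = b"\x30\x03\x02\x01\x01"


def pem(label: str, der: bytes) -> bytes:
    lbl = label.encode()
    return b"-----BEGIN " + lbl + b"-----\n" + base64.b64encode(der) + b"\n-----END " + lbl + b"-----\n"


def secret(secret_type: str, data: dict) -> dict:
    """Shape kubectl prints: every data value base64-encoded exactly once."""
    return {"type": secret_type, "data": {k: base64.b64encode(v).decode() for k, v in data.items()}}


GOOD_SECRET = secret("kubernetes.io/tls",
                     {"tls.crt": pem("CERTIFICATE", FAKE_DER), "tls.key": pem("PRIVATE KEY", FAKE_DER)})
DOUBLE_ENCODED_SECRET = secret("kubernetes.io/tls",
                               {"tls.crt": base64.b64encode(pem("CERTIFICATE", FAKE_DER)),  # one layer too many
                                "tls.key": pem("PRIVATE KEY", FAKE_DER)})
OPAQUE_SECRET = secret("Opaque",
                       {"cert.pem": pem("CERTIFICATE", FAKE_DER), "key.pem": pem("PRIVATE KEY", FAKE_DER)})


def main() -> int:
    problems = check_tls_secret(json.load(sys.stdin))
    for p in problems:
        print("PROBLEM:", p)
    print("ok" if not problems else f"{len(problems)} problem(s)")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it against the real object with `kubectl get secret test-tls -n <namespace> -o json | python3 check_tls_secret.py` (the file name is arbitrary). If it reports nothing, go one level deeper with `kubectl get secret test-tls -n <namespace> -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -subject -dates`, which performs the X.509 parse this script deliberately leaves out.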